
Example 96 with PolicyFactory

use of org.owasp.html.PolicyFactory in project cerberus-source by cerberustesting.

the class CreateRobot method processRequest.

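/**
 * Processes requests for both HTTP <code>GET</code> and <code>POST</code>
 * methods.
 *
 * <p>Creates a Robot from the request parameters. The answer starts as an
 * "unexpected error" and is replaced either by the first failed input check
 * (expected error) or by the result of the robot service. The outcome is
 * written as JSON with the keys {@code messageType} and {@code message}.
 *
 * @param request servlet request
 * @param response servlet response
 * @throws ServletException if a servlet-specific error occurs
 * @throws IOException if an I/O error occurs
 * @throws org.cerberus.exception.CerberusException
 * @throws org.json.JSONException
 */
protected void processRequest(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException, CerberusException, JSONException {
    JSONObject jsonResponse = new JSONObject();
    Answer ans = new Answer();
    Gson gson = new Gson();
    // Default answer: unexpected error. Every branch below overrides it.
    MessageEvent msg = new MessageEvent(MessageEventEnum.DATA_OPERATION_ERROR_UNEXPECTED);
    msg.setDescription(msg.getDescription().replace("%DESCRIPTION%", ""));
    ans.setResultMessage(msg);
    PolicyFactory policy = Sanitizers.FORMATTING.and(Sanitizers.LINKS);
    response.setContentType("application/json");
    String charset = request.getCharacterEncoding();
    /**
     * Parsing and securing all required parameters.
     */
    // Parameter that are already controled by GUI (no need to decode) --> We SECURE them
    // Parameter that needs to be secured --> We SECURE+DECODE them
    String robot = ParameterParserUtil.parseStringParamAndDecodeAndSanitize(request.getParameter("robot"), null, charset);
    String port = ParameterParserUtil.parseStringParamAndDecodeAndSanitize(request.getParameter("port"), null, charset);
    String platform = ParameterParserUtil.parseStringParamAndDecodeAndSanitize(request.getParameter("platform"), null, charset);
    String browser = ParameterParserUtil.parseStringParamAndDecodeAndSanitize(request.getParameter("browser"), null, charset);
    String version = ParameterParserUtil.parseStringParamAndDecodeAndSanitize(request.getParameter("version"), "", charset);
    String active = ParameterParserUtil.parseStringParamAndDecodeAndSanitize(request.getParameter("active"), "Y", charset);
    String description = ParameterParserUtil.parseStringParamAndDecodeAndSanitize(request.getParameter("description"), "", charset);
    String userAgent = ParameterParserUtil.parseStringParamAndDecodeAndSanitize(request.getParameter("useragent"), "", charset);
    String screenSize = ParameterParserUtil.parseStringParamAndDecodeAndSanitize(request.getParameter("screensize"), "", charset);
    String robotDecli = ParameterParserUtil.parseStringParamAndDecodeAndSanitize(request.getParameter("robotDecli"), "", charset);
    String hostUser = ParameterParserUtil.parseStringParamAndDecodeAndSanitize(request.getParameter("hostUsername"), null, charset);
    String hostPassword = ParameterParserUtil.parseStringParamAndDecodeAndSanitize(request.getParameter("hostPassword"), null, charset);
    // Capabilities arrive as a client-supplied JSON array. A missing parameter, or a body that
    // Gson deserializes to null (the JSON literal "null"), both yield an empty list so that the
    // duplicate check and the factory call below never dereference a null list.
    // NOTE(review): malformed JSON still surfaces as a Gson runtime exception from fromJson.
    List<RobotCapability> capabilities = null;
    String capabilitiesParam = request.getParameter("capabilities");
    if (capabilitiesParam != null) {
        capabilities = gson.fromJson(capabilitiesParam, new TypeToken<List<RobotCapability>>() {
        }.getType());
    }
    if (capabilities == null) {
        capabilities = Collections.emptyList();
    }
    // Parameter that we cannot secure as we need the html --> We DECODE them
    String host = ParameterParserUtil.parseStringParamAndDecode(request.getParameter("host"), null, charset);
    // Securing capabilities by setting them the associated robot name.
    // Check also if there is no duplicated capability: map keys collapse duplicates, so a key
    // count smaller than the list size means at least one capability name is repeated.
    Map<String, Object> capabilityMap = new HashMap<String, Object>();
    for (RobotCapability capability : capabilities) {
        capabilityMap.put(capability.getCapability(), null);
        capability.setRobot(robot);
    }
    // robotid is optional and defaults to 0; only a present, non-numeric value is an error.
    // The value is run through the HTML sanitizer before parsing, like the other GUI parameters.
    Integer robotid = 0;
    boolean robotid_error = false;
    String robotidParam = request.getParameter("robotid");
    if (robotidParam != null && !robotidParam.equals("")) {
        try {
            robotid = Integer.valueOf(policy.sanitize(robotidParam));
        } catch (NumberFormatException ex) {
            robotid_error = true;
        }
    }
    /**
     * Checking all constrains before calling the services.
     */
    if (StringUtil.isNullOrEmpty(robot)) {
        msg = new MessageEvent(MessageEventEnum.DATA_OPERATION_ERROR_EXPECTED);
        msg.setDescription(msg.getDescription().replace("%ITEM%", "Robot").replace("%OPERATION%", "Create").replace("%REASON%", "Robot name is missing."));
        ans.setResultMessage(msg);
    } else if (StringUtil.isNullOrEmpty(host)) {
        msg = new MessageEvent(MessageEventEnum.DATA_OPERATION_ERROR_EXPECTED);
        msg.setDescription(msg.getDescription().replace("%ITEM%", "Robot").replace("%OPERATION%", "Create").replace("%REASON%", "Robot host is missing."));
        ans.setResultMessage(msg);
    } else if (StringUtil.isNullOrEmpty(platform)) {
        msg = new MessageEvent(MessageEventEnum.DATA_OPERATION_ERROR_EXPECTED);
        msg.setDescription(msg.getDescription().replace("%ITEM%", "Robot").replace("%OPERATION%", "Create").replace("%REASON%", "Robot platform is missing."));
        ans.setResultMessage(msg);
    } else if (robotid_error) {
        msg = new MessageEvent(MessageEventEnum.DATA_OPERATION_ERROR_EXPECTED);
        msg.setDescription(msg.getDescription().replace("%ITEM%", "Robot").replace("%OPERATION%", "Create").replace("%REASON%", "Could not manage to convert robotid to an integer value or robotid is missing."));
        ans.setResultMessage(msg);
    } else if (capabilityMap.size() != capabilities.size()) {
        msg = new MessageEvent(MessageEventEnum.DATA_OPERATION_ERROR_EXPECTED);
        msg.setDescription(msg.getDescription().replace("%ITEM%", "Robot").replace("%OPERATION%", "Create").replace("%REASON%", "There is at least one duplicated capability. Please edit or remove it to continue."));
        ans.setResultMessage(msg);
    } else {
        /**
         * All data seems cleans so we can call the services.
         */
        ApplicationContext appContext = WebApplicationContextUtils.getWebApplicationContext(this.getServletContext());
        IRobotService robotService = appContext.getBean(IRobotService.class);
        IFactoryRobot robotFactory = appContext.getBean(IFactoryRobot.class);
        Robot robotData = robotFactory.create(robotid, robot, host, port, platform, browser, version, active, description, userAgent, screenSize, hostUser, hostPassword, capabilities, robotDecli);
        ans = robotService.create(robotData);
        if (ans.isCodeEquals(MessageEventEnum.DATA_OPERATION_OK.getCode())) {
            /**
             * Object created. Adding Log entry. Only the (sanitized) robot name is
             * logged; host credentials never reach the log.
             */
            ILogEventService logEventService = appContext.getBean(LogEventService.class);
            logEventService.createForPrivateCalls("/CreateRobot", "CREATE", "Create Robot : ['" + robot + "']", request);
        }
    }
    /**
     * Formating and returning the json result.
     */
    jsonResponse.put("messageType", ans.getResultMessage().getMessage().getCodeString());
    jsonResponse.put("message", ans.getResultMessage().getDescription());
    response.getWriter().print(jsonResponse);
    response.getWriter().flush();
}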

Example 97 with PolicyFactory

use of org.owasp.html.PolicyFactory in project cerberus-source by cerberustesting.

the class ReadDeployType method processRequest.

/**
 * Processes requests for both HTTP <code>GET</code> and <code>POST</code>
 * methods.
 *
 * <p>Read-only entry point for deploy types. One of three lookups is chosen,
 * in this order: the distinct values of a column when {@code columnName} is
 * given, the full list when no {@code deploytype} parameter is present, or
 * the single deploy type whose key is the sanitized {@code deploytype}
 * parameter. The {@code sEcho} request parameter is copied back into the
 * JSON answer. A {@link JSONException} while building the answer is logged
 * and replaced by the generic error answer.
 *
 * @param request servlet request
 * @param response servlet response
 * @throws ServletException if a servlet-specific error occurs
 * @throws IOException if an I/O error occurs
 * @throws org.cerberus.exception.CerberusException
 */
protected void processRequest(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException, CerberusException {
    String sEcho = request.getParameter("sEcho");
    ApplicationContext appContext = WebApplicationContextUtils.getWebApplicationContext(this.getServletContext());
    PolicyFactory htmlPolicy = Sanitizers.FORMATTING.and(Sanitizers.LINKS);
    response.setContentType("application/json");
    response.setCharacterEncoding("utf8");
    // Calling Servlet Transversal Util.
    ServletUtil.servletStart(request);
    // Default message to unexpected error.
    MessageEvent defaultMsg = new MessageEvent(MessageEventEnum.DATA_OPERATION_ERROR_UNEXPECTED);
    defaultMsg.setDescription(defaultMsg.getDescription().replace("%DESCRIPTION%", ""));
    /**
     * Parsing and securing all required parameters.
     */
    // Nothing to do here as no parameter to check.
    //
    // Global boolean on the servlet that defines if the user has permission to edit and delete objects.
    boolean userHasPermissions = request.isUserInRole("Integrator");
    // Get Parameters
    String columnName = ParameterParserUtil.parseStringParam(request.getParameter("columnName"), "");
    // Init Answer with potential error from parsing parameters.
    AnswerItem result = new AnswerItem(defaultMsg);
    try {
        if (columnName.isEmpty()) {
            String deployTypeParam = request.getParameter("deploytype");
            if (deployTypeParam == null) {
                result = findDeployTypeList(appContext, userHasPermissions, request);
            } else {
                // Only the key is sanitized here; it is the one value taken straight from the client.
                result = findDeployTypeByID(htmlPolicy.sanitize(deployTypeParam), appContext, userHasPermissions);
            }
        } else {
            result = findDistinctValuesOfColumn(appContext, request, columnName);
        }
        JSONObject payload = (JSONObject) result.getItem();
        payload.put("messageType", result.getResultMessage().getMessage().getCodeString());
        payload.put("message", result.getResultMessage().getDescription());
        payload.put("sEcho", sEcho);
        response.getWriter().print(payload.toString());
    } catch (JSONException e) {
        LOG.warn(e);
        // returns a default error message with the json format that is able to be parsed by the client-side
        response.getWriter().print(AnswerUtil.createGenericErrorAnswer());
    }
}

Example 98 with PolicyFactory

use of org.owasp.html.PolicyFactory in project cerberus-source by cerberustesting.

the class ReadSqlLibrary method processRequest.

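/**
 * Processes requests for both HTTP <code>GET</code> and <code>POST</code>
 * methods.
 *
 * <p>Read-only entry point for SQL libraries. One of three lookups is chosen:
 * the full list when neither {@code name} nor {@code columnName} is given,
 * the distinct values of a column when {@code columnName} is given, or the
 * single entry named by the {@code name} parameter. The {@code sEcho}
 * request parameter is copied back into the JSON answer. A
 * {@link JSONException} while building the answer is logged and replaced by
 * the generic error answer.
 *
 * @param request  servlet request
 * @param response servlet response
 * @throws ServletException if a servlet-specific error occurs
 * @throws IOException      if an I/O error occurs
 */
protected void processRequest(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {
    // Get SqlLibrarys
    String echo = request.getParameter("sEcho");
    String columnName = ParameterParserUtil.parseStringParam(request.getParameter("columnName"), "");
    ApplicationContext appContext = WebApplicationContextUtils.getWebApplicationContext(this.getServletContext());
    response.setContentType("application/json");
    response.setCharacterEncoding("utf8");
    // Calling Servlet Transversal Util.
    ServletUtil.servletStart(request);
    // Default message to unexpected error.
    MessageEvent msg = new MessageEvent(MessageEventEnum.DATA_OPERATION_ERROR_UNEXPECTED);
    msg.setDescription(msg.getDescription().replace("%DESCRIPTION%", ""));
    /**
     * Parsing and securing all required parameters.
     */
    // Nothing to do here as no parameter to check.
    //
    // Global boolean on the servlet that defines if the user has permission to edit and delete objects.
    boolean userHasPermissions = request.isUserInRole("TestAdmin");
    // Init Answer with the default (unexpected error) message; every branch below replaces it
    // before it is read, which keeps this servlet aligned with the other Read* servlets.
    AnswerItem answer = new AnswerItem(msg);
    try {
        JSONObject jsonResponse;
        if (request.getParameter("name") == null && Strings.isNullOrEmpty(columnName)) {
            answer = findSqlLibraryList(appContext, userHasPermissions, request);
            jsonResponse = (JSONObject) answer.getItem();
        } else if (!Strings.isNullOrEmpty(columnName)) {
            answer = findDistinctValuesOfColumn(appContext, request, columnName);
            jsonResponse = (JSONObject) answer.getItem();
        } else {
            // NOTE(review): "name" is passed to the lookup as received, without the HTML sanitizer.
            answer = findSqlLibraryBySystemByKey(request.getParameter("name"), appContext, userHasPermissions);
            jsonResponse = (JSONObject) answer.getItem();
        }
        jsonResponse.put("messageType", answer.getResultMessage().getMessage().getCodeString());
        jsonResponse.put("message", answer.getResultMessage().getDescription());
        jsonResponse.put("sEcho", echo);
        response.getWriter().print(jsonResponse.toString());
    } catch (JSONException e) {
        LOG.warn(e);
        // returns a default error message with the json format that is able to be parsed by the client-side
        response.getWriter().print(AnswerUtil.createGenericErrorAnswer());
    }
}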

Example 99 with PolicyFactory

use of org.owasp.html.PolicyFactory in project cerberus-source by cerberustesting.

the class UpdateApplication method getCountryEnvironmentApplicationFromParameter.

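/**
 * Builds the list of country/environment parameters of an application from
 * the JSON array sent by the UI.
 *
 * <p>Entries flagged {@code toDelete} are skipped; the others are created
 * through the factory with the given system and application. {@code country}
 * and {@code environment} go through the HTML sanitizer; the remaining fields
 * (ip, domain, url, urlLogin, var1..var4) are kept verbatim because their
 * HTML content is needed. An empty or non-numeric {@code poolSize} falls back
 * to {@link CountryEnvironmentParameters#DEFAULT_POOLSIZE}.
 *
 * @param request servlet request (not read by this method; kept for the caller's signature)
 * @param appContext Spring context used to look up the factory bean
 * @param system system the parameters belong to
 * @param application application the parameters belong to
 * @param json array of JSON objects, one per country/environment entry
 * @return the entries not flagged for deletion, in array order
 * @throws JSONException if an entry lacks one of the expected keys or a value has the wrong type
 */
private List<CountryEnvironmentParameters> getCountryEnvironmentApplicationFromParameter(HttpServletRequest request, ApplicationContext appContext, String system, String application, JSONArray json) throws JSONException {
    List<CountryEnvironmentParameters> cedList = new ArrayList<CountryEnvironmentParameters>();
    IFactoryCountryEnvironmentParameters cedFactory = appContext.getBean(IFactoryCountryEnvironmentParameters.class);
    PolicyFactory policy = Sanitizers.FORMATTING.and(Sanitizers.LINKS);
    for (int i = 0; i < json.length(); i++) {
        JSONObject tcsaJson = json.getJSONObject(i);
        boolean delete = tcsaJson.getBoolean("toDelete");
        // Parameter that are already controled by GUI (no need to decode) --> We SECURE them
        String country = policy.sanitize(tcsaJson.getString("country"));
        String environment = policy.sanitize(tcsaJson.getString("environment"));
        // Parameter that we cannot secure as we need the html --> kept as received
        String ip = tcsaJson.getString("ip");
        String domain = tcsaJson.getString("domain");
        String url = tcsaJson.getString("url");
        String urlLogin = tcsaJson.getString("urlLogin");
        String var1 = tcsaJson.getString("var1");
        String var2 = tcsaJson.getString("var2");
        String var3 = tcsaJson.getString("var3");
        String var4 = tcsaJson.getString("var4");
        int poolSize = parsePoolSize(tcsaJson.getString("poolSize"));
        if (!delete) {
            CountryEnvironmentParameters ced = cedFactory.create(system, country, environment, application, ip, domain, url, urlLogin, var1, var2, var3, var4, poolSize);
            cedList.add(ced);
        }
    }
    return cedList;
}

/**
 * Converts the client-supplied pool size to an int.
 *
 * @param strPoolSize raw value from the JSON entry
 * @return the parsed value, or {@link CountryEnvironmentParameters#DEFAULT_POOLSIZE}
 *         when the value is empty or not an integer
 */
private int parsePoolSize(String strPoolSize) {
    if (strPoolSize.isEmpty()) {
        return CountryEnvironmentParameters.DEFAULT_POOLSIZE;
    }
    try {
        return Integer.parseInt(strPoolSize);
    } catch (NumberFormatException e) {
        // strPoolSize is client-controlled and is written to the log as received.
        LOG.warn("Unable to parse pool size: " + strPoolSize + ". Applying default value");
        return CountryEnvironmentParameters.DEFAULT_POOLSIZE;
    }
}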

Example 100 with PolicyFactory

use of org.owasp.html.PolicyFactory in project cerberus-source by cerberustesting.

the class UpdateDeployType method processRequest.

/**
 * Processes requests for both HTTP <code>GET</code> and <code>POST</code>
 * methods.
 *
 * <p>Updates the description of an existing deploy type. The deploy type key
 * and the new description are both run through the HTML sanitizer. The
 * update is refused with an expected-error message when the key is empty or
 * no such deploy type exists; when the service reports success a log event
 * is recorded. The outcome is written as JSON with the keys
 * {@code messageType} and {@code message}.
 *
 * @param request servlet request
 * @param response servlet response
 * @throws ServletException if a servlet-specific error occurs
 * @throws IOException if an I/O error occurs
 * @throws org.cerberus.exception.CerberusException
 * @throws org.json.JSONException
 */
protected void processRequest(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException, CerberusException, JSONException {
    Answer ans = new Answer();
    // Default answer: unexpected error. Every branch below overrides it.
    MessageEvent msg = new MessageEvent(MessageEventEnum.DATA_OPERATION_ERROR_UNEXPECTED);
    msg.setDescription(msg.getDescription().replace("%DESCRIPTION%", ""));
    ans.setResultMessage(msg);
    PolicyFactory htmlPolicy = Sanitizers.FORMATTING.and(Sanitizers.LINKS);
    response.setContentType("application/json");
    // Calling Servlet Transversal Util.
    ServletUtil.servletStart(request);
    /**
     * Parsing and securing all required parameters.
     */
    String deployType = htmlPolicy.sanitize(request.getParameter("deploytype"));
    String description = htmlPolicy.sanitize(request.getParameter("description"));
    /**
     * Checking all constrains before calling the services.
     */
    if (StringUtil.isNullOrEmpty(deployType)) {
        msg = new MessageEvent(MessageEventEnum.DATA_OPERATION_ERROR_EXPECTED);
        msg.setDescription(msg.getDescription().replace("%ITEM%", "Deploy Type").replace("%OPERATION%", "Update").replace("%REASON%", "Deploy Type (deploytype) is missing"));
        ans.setResultMessage(msg);
    } else {
        /**
         * All data seems cleans so we can call the services.
         */
        ApplicationContext appContext = WebApplicationContextUtils.getWebApplicationContext(this.getServletContext());
        IDeployTypeService deployTypeService = appContext.getBean(IDeployTypeService.class);
        AnswerItem lookup = deployTypeService.readByKey(deployType);
        boolean found = lookup.isCodeEquals(MessageEventEnum.DATA_OPERATION_OK.getCode()) && lookup.getItem() != null;
        if (found) {
            /**
             * The service confirmed the object exists, so we can update it.
             */
            DeployType deployTypeData = (DeployType) lookup.getItem();
            deployTypeData.setDescription(description);
            ans = deployTypeService.update(deployTypeData);
            if (ans.isCodeEquals(MessageEventEnum.DATA_OPERATION_OK.getCode())) {
                /**
                 * Update was successful. Adding Log entry (the key is the sanitized value).
                 */
                ILogEventService logEventService = appContext.getBean(LogEventService.class);
                logEventService.createForPrivateCalls("/UpdateDeployType", "UPDATE", "Updated Deploy Type : ['" + deployType + "']", request);
            }
        } else {
            /**
             * Object could not be found. We stop here and report the error.
             */
            msg = new MessageEvent(MessageEventEnum.DATA_OPERATION_ERROR_EXPECTED);
            msg.setDescription(msg.getDescription().replace("%ITEM%", "Deploy Type").replace("%OPERATION%", "Update").replace("%REASON%", "Deploy Type does not exist."));
            ans.setResultMessage(msg);
        }
    }
    /**
     * Formating and returning the json result.
     */
    JSONObject jsonResponse = new JSONObject();
    jsonResponse.put("messageType", ans.getResultMessage().getMessage().getCodeString());
    jsonResponse.put("message", ans.getResultMessage().getDescription());
    response.getWriter().print(jsonResponse);
    response.getWriter().flush();
}
